HN · HACKER_NEWS // 29d ago · TUTORIAL
gVisor on Raspbian needs VA_BITS_48
Nubificus shows why gVisor fails on Raspberry Pi OS Bookworm by default: the kernel is built with 39-bit virtual addressing, which starves gVisor’s userspace kernel memory layout. The post walks through verification, reproducing the failure, and rebuilding the Pi kernel with 48-bit VA support so runsc works reliably.
// ANALYSIS
This is a practical infra debugging guide that turns an obscure kernel panic into a repeatable fix for edge container security.
- Root cause is explicit: `CONFIG_ARM64_VA_BITS_39=y` on Raspbian vs `VA_BITS_48` on Ubuntu ARM kernels.
- It maps the failure to real symptoms (`cannot allocate memory in static TLS block`) instead of hand-wavy “gVisor doesn’t work.”
- The guide includes end-to-end steps: check kernel config, install `runsc`, test with `nerdctl`, rebuild kernel, and verify after reboot.
- For teams running untrusted or LLM-generated workloads on Pi-class hardware, this closes a critical sandboxing gap.
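
The "check kernel config" step can be scripted as a pre-flight test before `runsc` is installed. The following is an added example, not code from the original post; the function names and the two config file locations (`/proc/config.gz`, `/boot/config-$(uname -r)`) are assumptions, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the arm64
# virtual-address width before installing runsc.

# Constructed sample: the VA_BITS lines as they would look on a 39-bit kernel.
sample_39bit_config() {
    cat <<'EOF'
CONFIG_ARM64_VA_BITS_39=y
# CONFIG_ARM64_VA_BITS_48 is not set
CONFIG_ARM64_VA_BITS=39
EOF
}

# Read kernel config text on stdin; print the VA width, or "unknown".
# Lines of the form "# ... is not set" contain no "=" and never match.
va_bits_from_config() {
    awk -F= '
        $1 == "CONFIG_ARM64_VA_BITS" { bits = $2 }
        $1 ~ /^CONFIG_ARM64_VA_BITS_[0-9]+$/ && $2 == "y" {
            choice = $1; sub(/^CONFIG_ARM64_VA_BITS_/, "", choice)
        }
        END { if (bits != "") print bits
              else if (choice != "") print choice
              else print "unknown" }'
}

# Print the running kernel config. Assumption: it is exposed at one of these
# two common locations; neither path is taken from the post.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1
    fi
}

# Map a VA width to a verdict; exit status 0 only for 48-bit.
gvisor_va_verdict() {
    case "$1" in
        48) echo "ok: 48-bit VA" ;;
        39) echo "fail: 39-bit VA, rebuild the kernel with VA_BITS_48"; return 1 ;;
        *)  echo "unknown: VA width '$1' is not covered here"; return 2 ;;
    esac
}

# --check inspects the live kernel; --sample uses the constructed config above.
case "${1:-}" in
    --check)  bits=$(running_kernel_config | va_bits_from_config) ;;
    --sample) bits=$(sample_39bit_config | va_bits_from_config) ;;
    *)        bits="" ;;
esac
if [ -n "$bits" ]; then gvisor_va_verdict "$bits"; fi
```

Because the exit status is non-zero for anything other than 48-bit, the script can gate a provisioning step that would otherwise deploy `runsc` onto a kernel where the sandbox cannot start.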
// TAGS
gvisor, open-source, self-hosted, devtool, cloud
DISCOVERED: 29d ago (2026-03-13)
PUBLISHED: 30d ago (2026-03-13)
RELEVANCE: 6/10
AUTHOR: _ananos_